WebApp Sec mailing list archives

RE: IIS log - GETs vs. POSTs


From: Guille -bisho- <bisho () onirica com>
Date: 02 Sep 2003 00:07:19 +0200


Yes. On the net all the HTTP protocol goes encrypted. SSL just provides
a secure channel for a normal HTTP request.

But in the log files the GET params of https connections are logged, so
if the server is compromised, that data is fully accessible, even
backwards.

      That is incorrect.  Here is the transactional model:

Client hello ->
<- Server hello
<- Server certificate
<- serverHelloDone
ClientKeyExchange E(Kserv, PK) ->
ChangeCipherSpec ->
FIN Handshake (MAC) ->
<- ChangeCipherSpec
<- FIN Handshake (MAC)
Application_data HTTP request -> (GET /?data HTTP/1.0\n\n)
<- Application_data HTTP response (HTTP/1.1 200 OK\n...)
Alert : close_notify ->
<- Alert : close_notify

-- 
bisho!  _        -=] 01/09/2003 [=-
    _ ^(   )       _
   (  (   )  )     \ \___,,,
  (        )        / _____ >-
    ( :: )       >==-
  '. |::| ,  >==-
    \\:://  [ PAZ SI, GUERRA NO ]
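An added example, not part of the post above: the handshake trace ends with the
HTTP request travelling as Application_data, so the server decrypts it and IIS
writes the URI stem and query string to its W3C log like any plain HTTP
request. The script below parses a few constructed IIS W3C extended log lines
(the field names are the standard W3C/IIS ones; the hosts, paths and parameter
names are made up for the example) and flags requests whose logged
cs-uri-query carries a credential-looking parameter. Treating s-port 443 as
"this was SSL" is an assumption of the example, since the W3C format has no
dedicated scheme field.

```python
"""Find sensitive data that IIS has written to its log from GET query strings.

The log text is constructed sample data in IIS W3C extended format; the
parameter names and hosts are assumptions for this example.
"""
from urllib.parse import parse_qs

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-09-01 22:07:19
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2003-09-01 22:07:19 10.0.0.5 GET /login.asp user=alice&password=s3cret 443 - 192.0.2.10 200
2003-09-01 22:07:25 10.0.0.5 POST /login.asp - 443 - 192.0.2.10 302
2003-09-01 22:07:31 10.0.0.5 GET /search.asp q=quarterly+report 80 - 192.0.2.11 200
"""

# Parameter names that should never appear in a server log (example list).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "token", "session", "ssn"}


def parse_w3c(text):
    """Parse W3C extended log text into one dict per request.

    The '#Fields:' directive names the columns; IIS encodes spaces inside a
    field as '+', so splitting a data line on whitespace is safe.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def sensitive_in_query(records, names=SENSITIVE_NAMES):
    """Return the logged requests whose query string names a sensitive parameter.

    A POST body is never logged, so its cs-uri-query is '-' and it is skipped;
    a GET over SSL (s-port 443, an assumption of this example) is logged in the
    clear exactly like one over port 80.
    """
    hits = []
    for rec in records:
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)
        leaked = sorted(k for k in params if k.lower() in names)
        if leaked:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "method": rec["cs-method"],
                "stem": rec["cs-uri-stem"],
                "ssl": rec.get("s-port") == "443",
                "params": leaked,
            })
    return hits


if __name__ == "__main__":
    for hit in sensitive_in_query(parse_w3c(SAMPLE_LOG)):
        print("%(time)s %(method)s %(stem)s ssl=%(ssl)s leaked=%(params)s" % hit)
```

Run against a real IIS log directory the same parser applies unchanged; the
practical fix the thread points at is to carry credentials in a POST body (or
a header) rather than the query string, because only the stem and query reach
the log.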


